Start of new case 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


| don't think it is clear in the case with emails what information should be provided and the manner in 
which it should be provided. IE, do you just provide the personal information contained within the email, or 
the whole redacted text with the recipient's personal information removed; and how can this be provided 
in a prtable format - presumably a paper printout or a Word document isn't sufficient - in which case 
transcribing email content into a csv document risks an infringement of privacy due to the human 
intervention in this process and the availability of the content of the email to the transcriber. 


Q3 


Does the draft guidance contain enough examples? 
© Yes 
—) No 

©) Unsure / don't know 

If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 


unfounded or excessive’ subject access requests. We would like to include a wide 
range of examples 


from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 
requests below (if applicable). 


We see several requests originating from territories outside the EU where the 
requestor is neither resident in the EU or an EU citizen, but mistakenly believe that 


GDPR is a global corporate requirement. For example, as US citizen living in the US 
requesting a SAR. 


Q5 Ona scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-—Slightly Moderately 4-Very 5- Extremely 
useful useful useful useful useful 


© 


Q6 Why have you given this score? 


It clarifies some points, but the guidance that's really needed is how, ie to extract 
data from backed-up archives or email, rather than unhelpfully telling us that the law 
applies, but it's going to be difficult. It also seem to miss out the legal requirements 


to obtain data from third party providers and their archives, which can account for a 
significant delay. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© 


Q8 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


This draft should be aimed at small businesses and large corporations alike. It 
presumes a corporate level of IT capability and does not provide suggestions for 
smaller companies to approach the issues. It states early on that the size of 


company should be taken into account when responding, but it provides no 
framework for this. 


Q9 Are you answering as: 


/~ An individual acting in a private capacity (eg someone providing their views as a 
— member of the public) 


© An individual acting in a professional capacity 
©.) On behalf of an organisation 

C) Other 

Please specify the name of your organisation: 


I don't feel comfortable providing this. I am responsible for Project Managing GDPR in 
our company. 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
©) ICO Facebook account 
©) ICO LinkedIn account 
(C) ICO website 
© ICO newsletter 
~) ICO staff member 
|) Colleague 
©) Personal/work Twitter account 
() Personal/work Facebook account 
©) Personal/work LinkedIn account 
©) Other 


Thank you for taking the time to complete the survey 


